Out of the box this isn't possible (yet) as far as I know.
However, you could set the required authentication to “no” and create your own authentication method and block a “user” based on your own logic. Another side effect of this method is that there will be no creation of a session object for each API call which might be beneficial for your performance.
Hi,
If account inherits from System.User, as shown below:
So, you can set the block attribute to true:
You can use an attribute in the account to keep track of the number of attempts, and when it reaches a certain threshold, you can set the block.
And if necessary, you can use an authentication module from the marketplace to control the login process.
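The approach from the two answers above (a custom authentication check, plus an attempt counter that sets the block flag at a threshold), as an added Python sketch that is not code from this thread or from the platform. The `Account` fields, `MAX_ATTEMPTS` and the function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

MAX_ATTEMPTS = 3  # assumed threshold; the thread does not name a value


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    # Stand-in for an entity that inherits from System.User (field names are hypothetical).
    name: str
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    blocked: bool = False


def make_account(name: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(name, salt, hash_password(password, salt))


def authenticate(accounts: dict, name: str, password: str) -> bool:
    """Custom check the API calls when its built-in authentication is set to "no"."""
    account = accounts.get(name)
    if account is None:
        return False  # unknown name: nothing to count, no record created
    if account.blocked:
        return False  # a blocked account is refused even with the right password
    candidate = hash_password(password, account.salt)
    if hmac.compare_digest(candidate, account.password_hash):
        account.failed_attempts = 0  # success resets the counter
        return True
    account.failed_attempts += 1
    if account.failed_attempts >= MAX_ATTEMPTS:
        account.blocked = True  # threshold reached: set the block flag
    return False
```

Checking the block flag before verifying the password means a blocked account cannot be used to confirm a guessed password, and an administrator has to clear both `blocked` and `failed_attempts` to restore access.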